4a. (Suggested by Pep <PepMozilla@netscape.net> 12-21-2001)
Do not include any binary programs in your backup as these
may have been compromised. You should re-install binary
programs and libraries from their original medium.

5. Wipe the OS partition / drive clean.
(You are unlikely to be able to clean up a compromised system by
hand. So, grit your teeth and reformat that sucker.)

5a. (Suggested by Andreas Braeutigam <abrae@freenet.de> 02-26-02)
(This is *not* an exact quote but is a paraphrase)
"Reformat" may give the wrong impression that a time-consuming
format of the entire drive is needed. Rather than reformat
the entire drive, wipe out the MBR, the partition boot sectors,
the root partition and any other partition containing executable
files that may be compromised.

6a. (Suggested by Bill Unruh <unruh@physics.ubc.ca> 12-21-2001)
Then, scan all of the files which you saved for suid
programs:

# /6000 matches any file with the setuid or setgid bit set. Older GNU find
# spelled this "-perm +6000"; current releases reject that form.
find / -perm /6000 -ls

6b. (Suggested by Bill Unruh <unruh@physics.ubc.ca> 12-21-2001)
Make sure that each of those files which are reported
should actually be suid or sgid.
If they are system files, check them with:

rpm -Vf /name/of/file

If they are in your or others' home directories, they almost
certainly should not be suid, especially not suid root.
For example, a file in /tmp, or in /usr/share/man, should
never be suid root.

6c. (Suggested by Pep <PepMozilla@netscape.net> 12-21-2001)
When you restore your backup, check all system configuration
files that are restored for any cracks that may have already
been incorporated into these files.

6d. (Suggested by Bill Staehle <withheld on req.> 01-07-2002)

find / \( -nouser -o -nogroup \) -exec ls -lad {} \;

and if anything turns up, determine _why_ the user and/or
group is not in /etc/passwd and/or /etc/group. Who _really_
owns those files/directories? What are they?

7. WHILE OFFLINE install all the patches.

8. Create your own, unique hidden directory and 'cp' files to it
that are essential to system maintenance like 'ls', 'netstat',
'route', 'ifconfig', 'ps', etc.
(Should you be cracked again, God forbid, as long as you don't
have a compromised kernel this will allow you to use these copies
to "see" what a cracker may have done.)

8a. (Suggested by Andreas Braeutigam <abrae@freenet.de> 02-26-02)
I'd rather store those copies on a separate system or a
non-writeable medium. [like a CD-R, floppy diskette with
write protect on, etc.]

8b. (Suggested by Pep <PepMozilla@netscape.net> 12-21-2001)
Check your final installation to see that all known security
bugs have been addressed. There are various utilities that
you can get to help with this, such as port scanners, etc.

8c. (Suggested by Pep <PepMozilla@netscape.net> 12-21-2001)
Install some of the security monitors that exist out there.
I can't give you the names of all of these but there are
monitors like portsentry that constantly scan for connections
to your system, also there are other utilities that
constantly check your system logs and ones that constantly
check the system configuration files for any modifications of
content and/or permissions.

8d. (Suggested by Bill Staehle <withheld on req.> 01-01-2002)
[It] would be better if the program files you put into that
hidden directory are statically compiled, and not using the
possibly corrupted dynamic libraries. It also assumes that
the kernel doesn't get messed with. _At this time_ these
concerns are not big, but why not stay ahead?

8e. (Suggested by James Knott <james.knott@rogers.com> 01-02-02)
Mount as much of your filesystem as possible as read only. If
the crackers can't write to a partition, they can't change
it. Rename and hide su etc. [as suggested in 8].

9. Then, and only then, set the box up to get online.

10. (Suggested by Pep <PepMozilla@netscape.net> 12-21-2001)
Finally, design and implement a regular backup procedure,
something you should already have done, so that you can limit
any future problems you might have with your system, whether from
cracking; bad configuration; system failure or simply bad users.

10a. (Suggested by Bill Staehle <withheld on req.> 01-01-2002)
[For further security] you could have another system sitting
off a separate network, that randomly grabs a file off of
this box, and does a file comparison externally. If that
other system is not accepting ANY connections from ANYWHERE,
it makes a better intrusion detection system.

What if you have only one machine with one OS installed? You still
need to disconnect, backup and reinstall. To get the patches ask a
friend or acquaintance with a secured system to help download the
patches. Or see if your OS vendor offers the current patches on CD.
If so, order it.

Finally, if all this is too much for you to handle alone, consider
hiring an expert to assist you or to do it for you. However, be aware
that hiring a consultant who is able to help will probably *not* be
inexpensive. For Linux and UNIX consultants in your area check these:

("-" Suggested by Bill Staehle <withheld on req.> 01-07-2002)
-ftp://ftp.cc.gatech.edu/pub/linux
-ftp://ftp.freesoftware.com/pub/linux/sunsite
-ftp://ftp.flash.net/pub/mirrors/metalab.unc.edu/pub/Linux
-ftp://ftp.yggdrasil.com/mirrors/sunsite
-ftp://ibiblio.org/pub/Linux
-
-Those are anonymous FTP servers. Log in as anonymous, with your
-email address as password, and change to the indicated directory.
-Look for the file "MIRRORS" to find a list of other servers that
-may be more accessible to you. Then continue down from this
-directory to ./docs/linux-doc-project/linux-consultants-guide/
-and get one of the versions of the Consultants-Guide:
-
-Consultants-Guide.html.tar.gz
-Consultants-Guide.pdf
-Consultants-Guide.ps.gz
-Consultants-Guide.sgml.gz
-Consultants-Guide.txt

Certified or Authorized resellers and/or consultants will be the
ones most likely to be able to assist you. Those well versed in
Linux and/or UNIX are usually capable of handling the "lesser OS's"
as well.

Finally, NEVER use the word "hacking" to describe "cracking" as there
is a significant difference between a "cracker" and a "hacker". See:
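
The sweep that steps 6a, 6b and 6d above describe, as an added Python example that is not part of the original post: it walks a tree (ideally the victim's disk mounted read-only), lists setuid/setgid files, flags those sitting where a suid binary should never be, reports files whose owner or group is unknown, and wraps the `rpm -Vf` check. The SUSPECT_AREAS list and the function names are my own; the scanning host's passwd/group databases are assumed unless you pass the victim's.

```python
import grp
import os
import pwd
import shutil
import stat
import subprocess

# Areas where a setuid/setgid binary has no business being: the post's /tmp and
# /usr/share/man examples plus home directories and the other scratch dirs.
SUSPECT_AREAS = ("/tmp", "/var/tmp", "/dev/shm", "/home", "/usr/share/man")

def in_suspect_area(logical_path):
    return any(logical_path == a or logical_path.startswith(a + "/") for a in SUSPECT_AREAS)

def scan_tree(root, known_uids=None, known_gids=None):
    """Return (setuid_or_setgid, suspect_setuid_or_setgid, orphaned) path lists.

    Paths are reported as they were on the victim box ('/' + path relative to
    root), so a tree mounted read-only under /mnt/evidence is judged correctly.
    known_uids/known_gids default to the scanning host's passwd/group databases;
    pass the victim's own sets when they differ (step 6d asks about /etc/passwd).
    """
    if known_uids is None:
        known_uids = {p.pw_uid for p in pwd.getpwall()}
    if known_gids is None:
        known_gids = {g.gr_gid for g in grp.getgrall()}
    privileged, suspect, orphaned = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)          # lstat: never follow a planted symlink
            except OSError:
                continue
            logical = "/" + os.path.relpath(full, root)
            if st.st_uid not in known_uids or st.st_gid not in known_gids:
                orphaned.append(logical)     # the find -nouser -o -nogroup case (6d)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                privileged.append(logical)   # the find -perm /6000 case (6a)
                if in_suspect_area(logical):
                    suspect.append(logical)  # 6b: should never be suid/sgid here
    return sorted(privileged), sorted(suspect), sorted(orphaned)

def rpm_verify(path):
    """Step 6b's `rpm -Vf`: True if the owning package verifies clean, False if it
    reports changes or no package owns the file, None when rpm is not installed."""
    if shutil.which("rpm") is None:
        return None
    res = subprocess.run(["rpm", "-Vf", path], capture_output=True, text=True)
    return res.returncode == 0 and res.stdout.strip() == ""
```

Run `scan_tree("/mnt/evidence")` from the trusted medium and feed each entry of the first list to `rpm_verify` only after mapping it back to the mounted path; anything in the second or third list needs a human explanation before the data is restored.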

I'm a neophyte, but I believe it is true that a secure box one day may not be a secure box the following day.
I mean that if you're almost certain that you have done everything you possibly can to secure your box (assuming the "0" risk is reachable), keep being vigilant in the days that follow. Security is always developing...

Then, if you think you're compromised, do NOT lose your nerve! Relax and examine your system step by step to check whether something is going wrong or not.

If you have any doubt, any unanswered question, just ask in these forums and you'll get the help you need! ( :p )

Just posted this in the tools section, but it is also relevant here: FIRE - Forensics tool kit CD, has many trusted binaries (Windows, Solaris and Linux) you can use to help see what's been done, as well as a bootable Linux distro that you can run, mount all the partitions as read only and then have a poke around from a safe starting point. http://www.security-forums.com/forum/viewtopic.php?t=3260

But what IF they patched /bin/ls so that it checks if getuid() == 0 and sets 4755 on /tmp/.xxxx??
HUH, it means that you don't know which file on the system was patched, and there is no way to check it!

Because using a local copy of any system utility would be doltish to say the least. When conducting a forensic analysis of a possibly compromised machine you use ps/ls and so on from a known good medium which is read only such as a CD or write protected floppy disk. Or you mount the drives with something like Knoppix or another forensics distro.

Plus I'm not sure what point you are making as the outline clearly states:

5. Wipe the OS partition / drive clean.

This is always the best solution, but a forensic analysis must be conducted first so the hows and whys can be documented.

8. Create your own, unique hidden directory and 'cp' files to it
that are essential to system maintenance like 'ls', 'netstat',
'route', 'ifconfig', 'ps', etc.
(Should you be cracked again, God forbid, as long as you don't
have a compromised kernel this will allow you to use these copies
to "see" what a cracker may have done.)

8a. (Suggested by Andreas Braeutigam <abrae-at-freenet.de> 02-26-02)
I'd rather store those copies on a separate system or a
non-writeable medium. [like a CD-R, floppy diskette with
write protect on, etc.]

<...snip...>

ShaolinTiger wrote:

8d. (Suggested by Bill Staehle <withheld on req.> 01-01-2002)
[It] would be better if the program files you put into that
hidden directory are statically compiled, and not using the
possibly corrupted dynamic libraries. It also assumes that
the kernel doesn't get messed with. _At this time_ these
concerns are not big, but why not stay ahead?

Another way to achieve the same thing is to make yourself a Knoppix CD (http://www.knopper.net/knoppix/index-en.html) or equivalent *BEFORE* your system is cracked (or on a friend's machine, if you've already been rooted). This will give you a known good, read-only kernel and utilities that you can use to conduct your forensics.

You could also use a copy of the kernel on floppy (you *do* have a bootable floppy, right?), and statically compiled ls, cp, etc. on a USB thumb drive instead--just make sure both the thumb drive and floppy have write protect set!

Yes...if you are certain you've been hacked and just want your system back ASAP.

If you suspect you may have been hacked, but want to:
1) Know for certain, or
2) Find out how the perpetrator got in, or
3) Conduct an investigation to find out who the perpetrator is, or
4) etc.
...then you might want to do like I said above, and boot from a read-only file system with a known-good kernel and known-good shell so you can poke around and do some forensics.

Furthermore, suppose you aren't exactly sure when you were hacked? How far back in your backups do you go? There is a trade-off here, because you want to go far enough back to *know* that you've restored a clean system, but the farther back you go, the more likely you are to lose configs, data, etc.

Granted, you said

Quote:

backup your data and restore from backup

but what portion of your current data do you want to restore once you've reinstalled your base system? If the hacker got in, anything on your machine is suspect. Do you want to restore SSH keys? Config files? Your user/password database? Do you *know* that your data, whatever it is, hasn't been tainted? How about custom scripts to manage your system? Have they been compromised?

Each case is different, but personally, I would like to have as much info as possible before I put the machine back in production. And, it's entirely possible that after doing some forensics you will find that you weren't actually hacked, but a normal process that you hadn't been monitoring tripped your alarms, in which case you don't want to take your system down because there is nothing wrong with it. It's happened to me, once.
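The "do you *know* your data hasn't been tainted?" question above, together with outline items 8c and 10a (monitors that watch configuration files for content or permission changes, and a second host that compares files externally), as an added Python example that is not part of this thread: build a manifest of mode, ownership and SHA-256 from a known-good copy, keep it on read-only media, and diff a suspect or restored tree against it. The function names and the JSON layout are my own.

```python
import hashlib
import json
import os
import stat

def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Record mode, owner and content hash of every regular file under root,
    keyed by the path the file has on the audited box ('/' + relative path)."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):   # skip symlinks, sockets, devices
                continue
            manifest["/" + os.path.relpath(full, root)] = {
                "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
                "gid": st.st_gid, "sha256": file_sha256(full)}
    return manifest

def compare(baseline, current):
    """List (path, finding) pairs: content/permission/ownership changes,
    files missing from the audited tree, and files that were not in the baseline."""
    findings = []
    for path, ref in baseline.items():
        cur = current.get(path)
        if cur is None:
            findings.append((path, "missing"))
            continue
        for key in ("sha256", "mode", "uid", "gid"):
            if cur[key] != ref[key]:
                findings.append((path, key + " changed"))
    for path in current.keys() - baseline.keys():
        findings.append((path, "added"))
    return sorted(findings)

def save_manifest(manifest, path):
    """Write the baseline as JSON so it can live on the read-only medium (8a/8d)."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
```

Build the baseline from the freshly patched install (step 7) before going online, and run `compare` from the isolated host of 10a or from the Knoppix-style boot described above; a "mode changed" on a config file or an "added" entry under /bin is exactly what the hidden-copy-of-ls approach cannot show you.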
